I am trying to apply ACLs to vty on an ASR9k router.
I am doing the following, and this works...
! IOS-XR
!-------
ipv4 access-list VTY-ACL
 10 permit ipv4 10.0.0.0 0.0.0.255 any
 20 deny ipv4 any any log
!
ipv6 access-list VTY-ACL
 10 permit ipv6 2001:DB8::/32 any
 20 deny ipv6 any any log
!
vty-pool default 0 10
line default
 access-class ingress VTY-ACL
!
The SSH TCP port is still open from any host, though. I am not able to log in from hosts other than the ones specified in the ACLs, but it is possible to port-scan TCP 22 from any host.
Any suggestions? When applying an ACL directly on the mgmt interface, the port gets blocked.